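def get_cloud_access_credentials(self, cloudauthz, sa_session, user_id, request=None):
    """
    Request temporary access credentials for a cloud resource via CloudAuthz.

    This method leverages CloudAuthz (https://github.com/galaxyproject/cloudauthz)
    to ask a cloud-based resource provider (e.g., Amazon AWS, Microsoft Azure)
    for temporary credentials to a given resource. It extends the stored
    cloudauthz configuration with the on-the-fly values the CloudAuthz library
    needs for the configured provider (e.g., a valid OpenID Connect identity
    token for AWS) and then requests the credentials using that configuration.

    No lookup or ownership check of the ``cloudauthz`` record is performed
    here; the caller is responsible for having resolved the record and
    verified that ``user_id`` may use it before calling this method.

    :type cloudauthz: cloudauthz configuration record (must expose ``id`` and ``provider``)
    :param cloudauthz: the stored cloudauthz configuration whose settings are
        extended and handed to the CloudAuthz library. This is the persisted
        record, not the ``CloudAuthz`` library client instantiated below.
    :type sa_session: sqlalchemy.orm.scoping.scoped_session
    :param sa_session: SQLAlchemy database handle.
    :type user_id: int
    :param user_id: Decoded Galaxy user ID.
    :type request: galaxy.web.framework.base.Request
    :param request: Encapsulated HTTP(S) request.
    :rtype: dict
    :return: a dictionary containing credentials to access a cloud-based
        resource provider. See CloudAuthz
        (https://github.com/galaxyproject/cloudauthz) for details on the
        content of this dictionary.
    :raises exceptions.AuthenticationFailed: if the CloudAuthz library reports
        a failure (``CloudAuthzBaseException``).
    :raises exceptions.RequestParameterInvalidException: if the configured
        provider is not supported by the CloudAuthz library
        (``NotImplementedError``).
    """
    config = self._extend_cloudauthz_config(cloudauthz, request, sa_session, user_id)
    try:
        ca = CloudAuthz()
        # Lazy %-style arguments: the message is only formatted if INFO is enabled.
        log.info(
            "Requesting credentials using CloudAuthz with config id `%s` on be half of user `%s`.",
            cloudauthz.id, user_id)
        return ca.authorize(cloudauthz.provider, config)
    except CloudAuthzBaseException as e:
        log.info(e)
        # NOTE(review): the library's error text is forwarded verbatim to the
        # caller; confirm it cannot carry provider-side detail that should not
        # reach the client.
        raise exceptions.AuthenticationFailed(e) from e
    except NotImplementedError as e:
        # Unsupported provider: surface it as a bad request rather than a server error.
        log.info(e)
        raise exceptions.RequestParameterInvalidException(e) from e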
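def get_cloud_access_credentials(self, cloudauthz, sa_session, user_id, request=None):
    """
    Request temporary access credentials for a cloud resource via CloudAuthz.

    This method leverages CloudAuthz (https://github.com/galaxyproject/cloudauthz)
    to ask a cloud-based resource provider (e.g., Amazon AWS, Microsoft Azure)
    for temporary credentials to a given resource. It extends the stored
    cloudauthz configuration with the on-the-fly values the CloudAuthz library
    needs for the configured provider (e.g., a valid OpenID Connect identity
    token for AWS) and then requests the credentials using that configuration.

    No lookup or ownership check of the ``cloudauthz`` record is performed
    here; the caller is responsible for having resolved the record and
    verified that ``user_id`` may use it before calling this method.

    :type cloudauthz: cloudauthz configuration record (must expose ``id`` and ``provider``)
    :param cloudauthz: the stored cloudauthz configuration whose settings are
        extended and handed to the CloudAuthz library. This is the persisted
        record, not the ``CloudAuthz`` library client instantiated below.
    :type sa_session: sqlalchemy.orm.scoping.scoped_session
    :param sa_session: SQLAlchemy database handle.
    :type user_id: int
    :param user_id: Decoded Galaxy user ID.
    :type request: galaxy.web.framework.base.Request
    :param request: Encapsulated HTTP(S) request.
    :rtype: dict
    :return: a dictionary containing credentials to access a cloud-based
        resource provider. See CloudAuthz
        (https://github.com/galaxyproject/cloudauthz) for details on the
        content of this dictionary.
    :raises exceptions.AuthenticationFailed: if the CloudAuthz library reports
        a failure (``CloudAuthzBaseException``).
    """
    config = self._extend_cloudauthz_config(cloudauthz, request, sa_session, user_id)
    try:
        ca = CloudAuthz()
        # Lazy %-style arguments: the message is only formatted if INFO is enabled.
        log.info(
            "Requesting credentials using CloudAuthz with config id `%s` on be half of user `%s`.",
            cloudauthz.id, user_id)
        # NOTE(review): only CloudAuthzBaseException is translated below; any
        # other error from authorize() (e.g. NotImplementedError for an
        # unsupported provider) propagates uncaught — confirm that is intended.
        return ca.authorize(cloudauthz.provider, config)
    except CloudAuthzBaseException as e:
        log.info(e)
        # NOTE(review): the library's error text is forwarded verbatim to the
        # caller; confirm it cannot carry provider-side detail that should not
        # reach the client.
        raise exceptions.AuthenticationFailed(e) from e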